FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
Article Id 256928
Description This article explains Site-to-Site IPsec IKE and ESP traffic routing behavior when the tunnel is bound to a loopback interface where VPN cannot establish in asymmetric routing scenario.
Scope FortiGate.


FortiOS IKE (IPsec phase1) and ESP (IPsec phase2) are separate sessions when nat-traversal is not enforced, therefore when IPsec VPN is bound to a loopback interface and there are redundant ISPs (ECMP), then by design IKE and ESP traffic could be asymmetric and follow different paths where inbound and outbound IKE traffic could be routed over different interfaces, on some implementations this asymmetric behavior could cause VPN tunnel fails to establish.



-  Since Version 6.2.8, 6.4.9, and 7.0.0 and upward, a new command ‘ loopback-asymroute’ was added to change this behavior, this CLI command is visible only when bound-interface is a loopback type:


config vpn ipsec phase1-interface

    edit <name>

        set interface <loopback interface name>

        set loopback-asymroute {enable | disable} **




- enable:(Default) Allow ingress/egress IKE traffic to be routed over different interfaces

- disable: Ingress/egress IKE traffic must be routed over the same interface.